[Snort-users] Monitor progress and ETA while running snort

John Byrne jbyrnescu at gmail.com
Sat Oct 13 14:23:22 EDT 2018


I’m assuming this doesn’t work for snort v2.9.11.1?  It doesn’t work for me. But it seems the snort 3 manual has this.

Do you know when this was added?

Curiously,

John Byrne

> On Oct 12, 2018, at 6:49 AM, Assaf via Snort-users <snort-users at lists.snort.org> wrote:
> 
> Thanks! I didn't know about the USR1 trick.
> 
> On Thu, Oct 11, 2018, 15:51 Carter Waxman (cwaxman) <cwaxman at cisco.com> wrote:
> kill -USR1 (snort pid) and snort will dump stats to stdout. See “Packet I/O Totals” for packets read so far.
> 
> --pcap-list will run a batch of pcaps, but be aware that Snort resets between each pcap so you would probably still need to do your merge.
> 
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Assaf via Snort-users <snort-users at lists.snort.org>
> Reply-To: Assaf <assaf.morami at gmail.com>
> Date: Thursday, October 11, 2018 at 12:56 AM
> To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
> Subject: [Snort-users] Monitor progress and ETA while running snort
> 
> Hi, I just wanted to share how I monitor progress and ETA while running snort from a pcap file.
> 
> If I have only one pcap I use pipe viewer (the pv command) like this:
> 
> pv x.pcap | snort -r -
> 
> If I have more than one pcap, e.g. from a big tcpdump run, I merge all of them on the fly using joincap ( https://github.com/assafmo/joincap ) like this:
> 
> joincap *.pcap | pv -s $(du -bc *.pcap | awk '/total/{print $1}') | snort -r -
> 
> This way pv prints progress and ETA information while snort is running. :-)
> 
> Shameless plug - I wrote joincap specifically for these kinds of situations, because mergecap and tcpslice do not handle errors very well.
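
Added example, not part of the original thread and not joincap's or Snort's own code: a sturdier way to compute the `pv -s` value for the multi-pcap pipeline quoted above. It sums file sizes with `wc -c` instead of GNU-only `du -b`, does not rely on matching the word "total", and subtracts the extra file headers that disappear when captures are merged. Assumptions: the inputs are classic libpcap files (24-byte file header, not pcapng), the function names are hypothetical, and the result is an upper bound if the merge drops damaged packets.

```shell
#!/bin/sh
# Size of the classic libpcap file header in bytes (not valid for pcapng).
PCAP_GLOBAL_HEADER=24

# Print the expected byte size of the merged stream for the given captures.
# Each input has its own file header, but the merged stream carries only one.
merged_pcap_size() {
    total=0
    count=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "not a regular file: $f" >&2
            return 1
        fi
        # Arithmetic expansion strips the padding some wc builds emit.
        size=$(( $(wc -c < "$f") + 0 ))
        if [ "$size" -lt "$PCAP_GLOBAL_HEADER" ]; then
            # Too short to hold even a file header, so it holds no packets.
            echo "skipping truncated capture: $f" >&2
            continue
        fi
        total=$((total + size))
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no usable capture files given" >&2
        return 1
    fi
    echo $((total - PCAP_GLOBAL_HEADER * (count - 1)))
}

# The pipeline from the post, fed with the computed size.
# Requires joincap, pv and snort on PATH.
snort_with_progress() {
    expected=$(merged_pcap_size "$@") || return 1
    joincap "$@" | pv -s "$expected" | snort -r -
}
```

Call it as `snort_with_progress *.pcap`; the header correction is only 24 bytes per extra file, so it matters mainly for runs made of many small captures.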
